September 20, 2024

ID theft law expanding in Maine

State agencies will be required to notify victims of stolen data

AUGUSTA – After weeks of mind-boggling attempts, a brilliant hacker cracks the firewall of the state’s computer child support database and within minutes downloads more than 300,000 Social Security numbers and individual bank routing codes onto his laptop.

At another department, a bored state employee is killing time at an online porn site and unknowingly downloads a virus that races through the state income tax collection database relaying names and information about thousands of taxpayers to a remote computer.

These incidents didn’t happen in Maine, but if they had, you may not have found out about it.

Until a recently enacted law becomes effective Jan. 31, 2007, Maine state agencies are not required to notify you if your information is stolen from any of the state’s computer databases.

Incidents like the child support breach in Nebraska or income tax hacking in Oregon are among a few examples cited on the Web site of stateline.org, a daily online publication of The Pew Research Center that focuses on policy issues affecting state government. Until recently, Maine was mentioned on the site in a report filed by the California-based Privacy Rights Clearinghouse. The data security watchdog group identified Maine as among 11 states requiring private-sector firms to notify victims of computer database security breaches but exempting state agencies from the same responsibility.

Richard B. Thompson, chief information officer at the Maine Office of Information Technology, said a bill signed by the governor in April officially addresses the state’s exemption from mandatory reporting. The actual implementation date of the law has been delayed until Jan. 31, 2007, to allow state departments time to develop internal policies for compliance.

“There have been no security breaches to date,” Thompson said during a recent interview. “In the unlikely event one should occur, we would voluntarily notify any affected persons. Security of personal data is the highest priority in our department and we wanted to be pro-active on this issue, which is why we recommended the changes to the Legislature as a revision to existing law last February.”

That was a good move, according to Paul Stephens, a policy analyst at Privacy Rights Clearinghouse, who noted that prior to the Maine Legislature’s adoption of LD 2017 earlier this year, Maine did not require state agencies to report security breaches and also limited the law’s application to “information brokers,” in effect, companies that purchase personal information for marketing purposes. The new law strikes all references to “information broker” and replaces them with “person,” so the law now applies to any entity or individual, including the state.

“Obviously we think there ought to be a security breach law everywhere,” Stephens said. “Without a security breach law, a state is under no obligation to notify the individuals who are impacted by it.”

Rep. Anne Perry, D-Calais and House chairman of the Legislature’s Insurance and Financial Services Committee, credited businesses, state institutions, financial institutions, colleges and universities with working together to close the loophole in existing state law regarding reporting of security breaches.

“I want you to know that there is truly a good-faith effort made by those who hold your personal information to protect you from the harm of identity theft,” she said in a prepared statement. “They understand that by notifying a consumer of a breach early in the process, less damage occurs.”

Perry said LD 2017 requires that any question of identity theft in an agency or business be investigated, and that residents of this state be notified if the misuse of information has occurred or if it is reasonably possible that misuse will occur.

“This is to be done as expediently as possible and without unreasonable delay,” she said.

The new law adds private and state schools and universities and state government to the list of parties responsible for reporting misuse of information and includes the University of Maine System, the Maine Community College System, and Maine Maritime Academy.

“This school and university component is particularly important because, as disturbing as it is, the greatest incidents of identity breach occur at colleges and universities,” said Perry.

Equally important, Perry said, is the law’s requirement that the state’s chief information officer develop standards and policies requiring notification by state agencies to Maine residents upon a security breach of personal information. This sets up a defined policy to deal with a breach of information within state agencies.

The legislator said the consequences of not reporting breaches are defined within the language of the law, including civil fines of up to $2,500 for each day an offender remains in violation along with other equitable and injunctive remedies.

“We live in such an electronic world,” Perry said. “Opportunities to abuse personal data are plentiful. This law is of great importance at this time and strengthens our resolve to protect Maine consumers.”

Identity theft continues to evolve as one of the country’s fastest-growing white-collar crimes. One recent survey reported by The Associated Press concluded there have been more than 28 million new identity theft victims since 2003, but experts say many incidents go undetected or unreported.

